{"rapid7blog": [{"lastseen": "2021-03-19T18:50:07", "bulletinFamily": "info", "cvelist": ["CVE-2010-4221"], "description": "## Windows Server 2012 Fun\n\n\n\nCommunity contributor [Erik Wynter](<https://github.com/kalba-security>) added a local exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14776>) for a DLL hijacking vulnerability he discovered in Windows Server 2012. The `TiWorker.exe` process that runs as `NT AUTHORITY\\SYSTEM` attempts to load `SrClient.dll`, which does not exist on the system. Because of this, privilege escalation is possible, but the success of the exploit relies on two things: the user that the current session is running as must be able to write the payload to the file system as `SrClient.dll`, and the directory the payload is placed in must be present in the system path. Assuming the aforementioned requirements are met, the exploit module writes the payload to the target and leverages the `wuauclt` utility to spawn `TiWorker.exe`, which then loads the malicious DLL and results in a Meterpreter session running as `NT AUTHORITY\\SYSTEM`.\n\n## Some Metasploit Improvements\n\nFirst-time Metasploit contributor [thesunRider](<https://github.com/thesunRider>) made an [addition](<https://github.com/rapid7/metasploit-framework/pull/14882>) to the `Msf::Exploit::Remote::HTTP::Wordpress::Users` mixin, specifically the `wordpress_user_exists?()` method. 
This change extends the regex used in determining valid accounts on WordPress installations, and most importantly, this adds support for WordPress `5.x` versions to the `auxiliary/scanner/http/wordpress_login_enum` module.\n\nCommunity contributor [geyslan](<https://github.com/geyslan>) modified the `linux/x86/exec` [payload module](<https://github.com/rapid7/metasploit-framework/pull/14661>) to be generated with metasm and introduced a new option for the payload, `NullFreeVersion`, which allows users to choose between generating a standard version of the payload or a null-byte-free version. Both versions of the payload are fairly small; however, the new null-byte-free variant is especially useful for exploits with payload size constraints, as opting for an encoder could potentially expand the payload\u2019s size beyond the requirements for successful exploitation.\n\n[bcoles](<https://github.com/bcoles>) made a number of substantial [improvements](<https://github.com/rapid7/metasploit-framework/pull/14757>) to the `exploit/linux/http/nagios_xi_magpie_debug` module that include bug fixes and coverage for older versions of Nagios. 
Additionally, the changes improve the stealth and reliability of the module by ensuring the proper deletion of uploaded artifacts and falling back to a low-privilege session in the event that the exploit\u2019s privilege escalation attempt fails.\n\n## New Modules (1)\n\n * [Windows Server 2012 SrClient DLL hijacking](<https://github.com/rapid7/metasploit-framework/pull/14776>) by Erik Wynter\n\n## Enhancements and features\n\n * [#14661](<https://github.com/rapid7/metasploit-framework/pull/14661>) from [geyslan](<https://github.com/geyslan>) Updated the `linux/x86/exec` payload to now use metasm, making the source code more readable and adds a new, larger NULL byte free variant.\n * [#14757](<https://github.com/rapid7/metasploit-framework/pull/14757>) from [bcoles](<https://github.com/bcoles>) Improved the `exploits/linux/http/nagios_xi_magpie_debug` module to automatically check if the target is vulnerable, as well as improved error handling and documentation. Additionally, the module has been updated so that it supports older versions of Nagios by adding additional writable paths that the exploit can use, and a fallback mechanism has been implemented to gain a shell as `apache` if the privilege elevation attempt fails.\n * [#14794](<https://github.com/rapid7/metasploit-framework/pull/14794>) from [bcoles](<https://github.com/bcoles>) Improved the `exploits/windows/http/dup_scout_enterprise_login_bof` module to add: support for v9.9.14 of Dup Scout Enterprise, additional `Notes` which may help pentesters determine the potential side effects of the exploit, support for the `AutoCheck` mixin to allow users to automatically check if a target is vulnerable prior to exploiting it, support for automatic targeting whereby the exploit will automatically determine the version of the target and will adjust the exploit accordingly if it is vulnerable, and compliance with new RuboCop standards.\n * [#14877](<https://github.com/rapid7/metasploit-framework/pull/14877>) from 
[security-curious](<https://github.com/security-curious>) Updated the `post/multi/gather/firefox_creds` module to support gathering profiles from newer versions of Firefox which now use the default profile name of `.default-release` vs. the old name of `.default`.\n * [#14882](<https://github.com/rapid7/metasploit-framework/pull/14882>) from [thesunRider](<https://github.com/thesunRider>) Improved `lib/msf/core/exploit/remote/http/wordpress/users.rb` to support valid username identification and login identification for newer versions of WordPress up-to-and-including 5.7.\n\n## Bugs Fixed\n\n * [#14824](<https://github.com/rapid7/metasploit-framework/pull/14824>) from [astutejoe](<https://github.com/astutejoe>) Fixed an issue with the `auxiliary/scanner/http/http_traversal` scanner to avoid a NULL pointer crash when a server's response body is empty. Also fixed another bug whereby empty files would be created if the server responded with a 404 response code but the body of the response was empty.\n * [#14856](<https://github.com/rapid7/metasploit-framework/pull/14856>) from [capme](<https://github.com/capme>) Fixed an issue in the two modules targeting [CVE-2010-4221](<https://attackerkb.com/topics/10YF1t5CMS/cve-2010-4221?referrer=blog>) where the ProFTPD version number without a letter suffix was being incorrectly identified as not vulnerable.\n * [#14863](<https://github.com/rapid7/metasploit-framework/pull/14863>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixed db_import functionality whilst connected to the remote data service.\n * [#14887](<https://github.com/rapid7/metasploit-framework/pull/14887>) from [space-r7](<https://github.com/space-r7>) Fixed a previous feature which added the readability of Meterpreter error messages via replacing the command ID with the command name to now work with older versions of Ruby.\n * [#14888](<https://github.com/rapid7/metasploit-framework/pull/14888>) from [timwr](<https://github.com/timwr>) Fixed two Unicode 
related bugs preventing recursive download of files or folders containing UTF8 characters, or otherwise open or interact with these files, via Meterpreter. This has now been addressed for common commands such as edit, download and cd.\n * [#14897](<https://github.com/rapid7/metasploit-framework/pull/14897>) from [adfoster-r7](<https://github.com/adfoster-r7>) Corrected a few instances where module documentation was not using the correct naming convention, preventing the documentation from being accessible.\n * [#14899](<https://github.com/rapid7/metasploit-framework/pull/14899>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixed loading of the REXML library to ensure it is always available for usage within modules.\n * [#14905](<https://github.com/rapid7/metasploit-framework/pull/14905>) from [jmartin-r7](<https://github.com/jmartin-r7>) Fixed an issue where exploit exceptions other than `Interrupt` could skip proper clean-up.\n * [#14911](<https://github.com/rapid7/metasploit-framework/pull/14911>) from [friedrico](<https://github.com/friedrico>) The `impersonate_ssl.rb` module has been updated to add a new SNI option for retrieving the SSL Certificate, allowing it to properly retrieve SSL certificates in cases where the SNI option needs to be appropriately specified. 
In addition, RuboCop changes have also been applied to tidy up the code and remove some dangerous code in favor of safer solutions.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.34...6.0.36](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-11T15%3A08%3A27-06%3A00..2021-03-18T09%3A30%3A28-05%3A00%22>)\n * [Full diff 6.0.34...6.0.36](<https://github.com/rapid7/metasploit-framework/compare/6.0.34...6.0.36>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-03-19T17:42:45", "published": "2021-03-19T17:42:45", "id": "RAPID7BLOG:D11483BD768B9F588E753A15FC6F5620", "href": "https://blog.rapid7.com/2021/03/19/metasploit-wrap-up-103/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-20T04:43:29", "description": "The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in\nthe October 2020 CPU advisory.\n\n - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with\n network access via HTTP can exploit this issue to compromise the server. Successful attacks of this \n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)\n\n - An unspecified vulnerability exists in the Core component. 
An unauthenticated, remote attacker can exploit \n this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this\n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit\n this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can\n result in takeover of Oracle WebLogic Server. (CVE-2020-14841)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 8, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-22T00:00:00", "title": "Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14841", "CVE-2020-14882", "CVE-2020-14750", "CVE-2020-11022", "CVE-2020-14757", "CVE-2020-14820", "CVE-2020-14883", "CVE-2019-17267", "CVE-2020-9488", "CVE-2020-14859", "CVE-2020-14825"], "modified": "2020-10-22T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server", "cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2020.NASL", "href": "https://www.tenable.com/plugins/nessus/141807", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141807);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2019-17267\",\n \"CVE-2020-9488\",\n \"CVE-2020-11022\",\n \"CVE-2020-14750\",\n \"CVE-2020-14757\",\n \"CVE-2020-14820\",\n \"CVE-2020-14825\",\n \"CVE-2020-14841\",\n \"CVE-2020-14859\",\n \"CVE-2020-14882\",\n \"CVE-2020-14883\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0478\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in\nthe October 2020 CPU advisory.\n\n - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with\n network access via HTTP can exploit this issue to compromise the server. Successful attacks of this \n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit \n this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this\n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit\n this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can\n result in takeover of Oracle WebLogic Server. 
(CVE-2020-14841)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuoct2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2020.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/alert-cve-2020-14750.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2020 Oracle Critical Patch Update advisory and the Oracle Security\nAlert advisory for CVE-2020-14750.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14859\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic Server Administration Console Handle RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\", \"installed_sw/Oracle Data Integrator Embedded Weblogic Server\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('install_func.inc');\n\napp_name = 'Oracle WebLogic Server';\napp_name_odi = 'Oracle Data Integrator Embedded Weblogic Server';\n\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os))\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n}\nelse port = 0;\n\nnormal_installs = get_installs(app_name:app_name, port:port, exit_if_not_found:FALSE);\nodi_installs = get_installs(app_name:app_name_odi, port:port, exit_if_not_found:FALSE);\nall_installs = {};\n\nif (odi_installs[0] == IF_OK)\n all_installs = odi_installs[1];\n\nif (normal_installs[0] == IF_OK)\n all_installs = make_list2(all_installs, normal_installs[1]);\n\nif (empty(all_installs))\n audit(AUDIT_NOT_INST, app_name + ' or ' + app_name_odi);\n\ninstall = branch(all_installs);\nversion = install['version'];\n\nfix = NULL;\nfix_ver = NULL;\n\nif (version =~ \"^14\\.1\\.1\\.0($|[^0-9])\")\n{\n fix_ver = '14.1.1.0.200930';\n fix = make_list('31957062', '32097180');\n}\nelse if (version =~ \"^12\\.2\\.1\\.4($|[^0-9])\")\n{\n fix_ver = '12.2.1.4.201001';\n fix = make_list('31960985', '32097167');\n}\nelse if (version =~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n fix_ver = '12.2.1.3.201001';\n fix = make_list('31961038', '32097173');\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = '12.1.3.0.201020';\n fix = make_list('31656851', '32097177');\n}\nelse if (version =~ 
\"^10\\.3\\.6\\.\")\n{\n fix_ver = '10.3.6.0.201020';\n fix = make_list('NA7A', 'KYRS');\n}\n\nif (isnull(fix_ver) || ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']);\n\nelse {\n report =\n '\\n Oracle Home : ' + install['Oracle Home'] +\n '\\n Install path : ' + install['path'] +\n '\\n Version : ' + version +\n '\\n Fixes : ' + join(sep:', ', fix);\n security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T07:36:59", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). The supported version that is affected is 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).", "edition": 3, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-10-21T15:15:00", "title": "CVE-2020-14757", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14757"], "modified": "2020-10-22T15:31:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.2.1.3.0"], "id": "CVE-2020-14757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14757", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:52", "description": "An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to import the file). 
At a bare minimum, this allows an attacker to take control over the Contacts application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-09-14T20:15:00", "title": "CVE-2019-14757", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14757"], "modified": "2020-09-17T15:28:00", "cpe": ["cpe:/o:kaiostech:kaios:2.5.1", "cpe:/o:kaiostech:kaios:2.5"], "id": "CVE-2019-14757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14757", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:kaiostech:kaios:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:kaiostech:kaios:2.5:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token 
obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:36:37", 
"description": "OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-03T01:29:00", "title": "CVE-2017-14757", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14757"], "modified": "2017-10-18T01:29:00", "cpe": ["cpe:/a:opentext:document_sciences_xpression:4.5"], "id": "CVE-2017-14757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14757", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:opentext:document_sciences_xpression:4.5:sp1:*:*:*:*:*:*"]}], "oracle": [{"lastseen": "2020-12-24T15:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2013-7285", "CVE-2015-1832", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-1000338", "CVE-2016-1000339", 
"CVE-2020-14876", "CVE-2020-14877", "CVE-2020-14878", "CVE-2020-14879", "CVE-2020-14880", "CVE-2020-14881", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-14884", "CVE-2020-14885", "CVE-2020-14886", "CVE-2020-14887", "CVE-2020-14888", "CVE-2020-14889", "CVE-2020-14890", "CVE-2020-14891", "CVE-2020-14892", "CVE-2020-14893", "CVE-2020-14894", "CVE-2020-14895", "CVE-2020-14896", "CVE-2020-14897", "CVE-2020-14898", "CVE-2020-14899", "CVE-2020-14900", "CVE-2020-14901", "CVE-2020-15358", "CVE-2020-15389", "CVE-2020-1730", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1950", "CVE-2020-1951", "CVE-2020-1953", "CVE-2020-1954", "CVE-2020-1967", "CVE-2020-2555", "CVE-2020-3235", "CVE-2020-3909", "CVE-2020-4051", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-7067", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8840", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9409", "CVE-2020-9410", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2020-9490", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n \nStarting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. 
Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the \u201ctraditional\u201d advisory follows the same format as the previous advisories. The \u201ctraditional\u201d advisory is published at <https://www.oracle.com/security-alerts/cpuoct2020traditional.html>. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 403 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2712240.1>).\n", "modified": "2020-12-08T00:00:00", "published": "2020-10-20T00:00:00", "id": "ORACLE:CPUOCT2020", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2020", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ossfuzz": [{"lastseen": "2020-04-03T13:45:34", "bulletinFamily": "software", "cvelist": [], "description": "Detailed report: https://oss-fuzz.com/testcase?key=5739308486492160\n\nProject: libical\nFuzzer: libFuzzer_libical_fuzzer\nFuzz target binary: libical_fuzzer\nJob Type: libfuzzer_msan_libical\nPlatform Id: linux\n\nCrash Type: Use-of-uninitialized-value\nCrash Address: \nCrash State:\n pvl_pop\n icalcomponent_free\n icaltimezone_reset\n \nSanitizer: memory (MSAN)\n\nRecommended Security Severity: Medium\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5739308486492160\n\nIssue filed automatically.\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for instructions to reproduce this bug locally.\n\nThis bug is subject to a 90 day disclosure deadline. 
If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues.", "modified": "2019-06-27T15:26:45", "published": "2019-05-14T15:23:11", "id": "OSSFUZZ-14757", "href": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14757", "type": "ossfuzz", "title": "libical/libical_fuzzer: Use-of-uninitialized-value in pvl_pop", "cvss": {}}], "exploitdb": [{"lastseen": "2017-10-02T19:53:41", "description": "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection. CVE-2017-14757. Webapps exploit for JSP platform. Tags: SQL Injection (SQLi)", "published": "2017-10-02T00:00:00", "type": "exploitdb", "title": "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14757"], "modified": "2017-10-02T00:00:00", "id": "EDB-ID:42940", "href": "https://www.exploit-db.com/exploits/42940/", "sourceData": "Title: OpenText Document Sciences xPression (formerly EMC Document\r\nSciences xPression) - SQL Injection\r\nAuthor: Marcin Woloszyn\r\nDate: 27. 
September 2017\r\nCVE: CVE-2017-14757\r\n\r\nAffected Software:\r\n==================\r\nOpenText Document Sciences xPression (formerly EMC Document Sciences xPression)\r\n\r\nExploit was tested on:\r\n======================\r\nv4.5SP1 Patch 13 (older versions might be affected as well)\r\n\r\nSQL Injection:\r\n==============\r\n\r\nDue to lack of prepared statements an application is prone to SQL\r\nInjection attacks.\r\nPotential attacker can retrieve data from application database by\r\nexploiting the issue.\r\n\r\nVector :\r\n--------\r\n\r\nhttps://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate\r\n\r\n ^\r\nResults can be retrieved using blind SQL injection method.\r\n\r\nFix:\r\n====\r\nhttps://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774\r\n\r\nContact:\r\n========\r\nmw[at]nme[dot]pl", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42940/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenText Document Sciences xPression 4.5SP1 Patch 13 - jobRunId SQL Injection", "edition": 1, "published": "2017-10-02T00:00:00", "title": "OpenText Document Sciences xPression 4.5SP1 Patch 13 - jobRunId SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14757"], "modified": "2017-10-02T00:00:00", "id": "EXPLOITPACK:4EE61B7B70CB73F2989EE9DBF3F38538", "href": "", "sourceData": "Title: OpenText Document Sciences xPression (formerly EMC Document\nSciences xPression) - SQL Injection\nAuthor: Marcin Woloszyn\nDate: 27. 
September 2017\nCVE: CVE-2017-14757\n\nAffected Software:\n==================\nOpenText Document Sciences xPression (formerly EMC Document Sciences xPression)\n\nExploit was tested on:\n======================\nv4.5SP1 Patch 13 (older versions might be affected as well)\n\nSQL Injection:\n==============\n\nDue to lack of prepared statements an application is prone to SQL\nInjection attacks.\nPotential attacker can retrieve data from application database by\nexploiting the issue.\n\nVector :\n--------\n\nTrue: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1\nFalse: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2\n\nAdditionally:\n\nhttp://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa\n\nResults in the following error in response:\n\nHTTP/1.1 200 OK\n[...]\n <b>Errors: </b>\n\n See nested exception; nested exception is:\njava.lang.RuntimeException:\ncom.dsc.uniarch.cr.error.CRException: CRReportingSL: Method\ngetJobRunsByIds did not succeed because of a database operation\nfailure.;\n	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:\nDatabase syntax error :SELECT JOBRUN_ID, JOB_NAME,\nPUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,\nDISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID\nFROM T_JOBRUN WHERE\nJOBRUN_ID=1502642747222443244706554841153aaa.;\n	---> nested java.sql.SQLSyntaxErrorException:\nORA-00933: SQL command not properly ended\n\nAn attacker can see whole query and injection point. 
This can also be\nused for error-based data extraction.\n\nFix:\n====\nhttps://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774\n\nContact:\n========\nmw[at]nme[dot]pl", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-14T23:52:08", "edition": 1, "description": "Exploit for jsp platform in category web applications", "published": "2017-10-02T00:00:00", "title": "OpenText Document Sciences xPression 4.5SP1 Patch 13 - documentId SQL Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14757"], "modified": "2017-10-02T00:00:00", "href": "https://0day.today/exploit/description/28722", "id": "1337DAY-ID-28722", "sourceData": "Title: OpenText Document Sciences xPression (formerly EMC Document\r\nSciences xPression) - SQL Injection\r\nAuthor: Marcin Woloszyn\r\nDate: 27. September 2017\r\nCVE: CVE-2017-14757\r\n \r\nAffected Software:\r\n==================\r\nOpenText Document Sciences xPression (formerly EMC Document Sciences xPression)\r\n \r\nExploit was tested on:\r\n======================\r\nv4.5SP1 Patch 13 (older versions might be affected as well)\r\n \r\nSQL Injection:\r\n==============\r\n \r\nDue to lack of prepared statements an application is prone to SQL\r\nInjection attacks.\r\nPotential attacker can retrieve data from application database by\r\nexploiting the issue.\r\n \r\nVector :\r\n--------\r\n \r\nhttps://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate\r\n \r\n ^\r\nResults can be retrieved using blind SQL injection method.\r\n \r\nFix:\r\n====\r\nhttps://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28722"}, {"lastseen": "2018-01-08T17:23:43", "description": 
"OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from a remote SQL injection vulnerability in the doclist functionality.", "edition": 1, "published": "2017-09-30T00:00:00", "title": "OpenText Document Sciences xPression 4.5SP1 Patch 13 SQL Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14757"], "modified": "2017-09-30T00:00:00", "href": "https://0day.today/exploit/description/28677", "id": "1337DAY-ID-28677", "sourceData": "Title: OpenText Document Sciences xPression (formerly EMC Document\r\nSciences xPression) - SQL Injection\r\nAuthor: Marcin Woloszyn\r\nDate: 27. September 2017\r\nCVE: CVE-2017-14757\r\n\r\nAffected Software:\r\n==================\r\nOpenText Document Sciences xPression (formerly EMC Document Sciences xPression)\r\n\r\nExploit was tested on:\r\n======================\r\nv4.5SP1 Patch 13 (older versions might be affected as well)\r\n\r\nSQL Injection:\r\n==============\r\n\r\nDue to lack of prepared statements an application is prone to SQL\r\nInjection attacks.\r\nPotential attacker can retrieve data from application database by\r\nexploiting the issue.\r\n\r\nVector :\r\n--------\r\n\r\nhttps://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate\r\n\r\n ^\r\nResults can be retrieved using blind SQL injection method.\r\n\r\nFix:\r\n====\r\nhttps://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774\r\n\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28677"}], "packetstorm": [{"lastseen": "2017-09-29T22:20:58", "description": "", "published": "2017-09-29T00:00:00", "type": "packetstorm", "title": "OpenText Document Sciences xPression 4.5SP1 Patch 13 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14757"], "modified": 
"2017-09-29T00:00:00", "id": "PACKETSTORM:144394", "href": "https://packetstormsecurity.com/files/144394/OpenText-Document-Sciences-xPression-4.5SP1-Patch-13-SQL-Injection.html", "sourceData": "`Title: OpenText Document Sciences xPression (formerly EMC Document \nSciences xPression) - SQL Injection \nAuthor: Marcin Woloszyn \nDate: 27. September 2017 \nCVE: CVE-2017-14757 \n \nAffected Software: \n================== \nOpenText Document Sciences xPression (formerly EMC Document Sciences xPression) \n \nExploit was tested on: \n====================== \nv4.5SP1 Patch 13 (older versions might be affected as well) \n \nSQL Injection: \n============== \n \nDue to lack of prepared statements an application is prone to SQL \nInjection attacks. \nPotential attacker can retrieve data from application database by \nexploiting the issue. \n \nVector : \n-------- \n \nhttps://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate \n \n^ \nResults can be retrieved using blind SQL injection method. 
\n \nFix: \n==== \nhttps://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 \n \nContact: \n======== \nmw[at]nme[dot]pl \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144394/opentextdsx-sql.txt"}], "openbugbounty": [{"lastseen": "2017-10-16T23:04:16", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Vulnerable URL:\n \n \n https://www.moviemeter.nl/forum/1/14757/search/%22%3E%3Cimg%20src=x%20onerror=prompt('OPENBUGBOUNTY')%3E#messages\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| No \nLatest check for patch:| 05.09.2017 \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 47253 \nVIP website status:| Yes \nCheck moviemeter.nl SSL connection:| (Grade: A) \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 12 June, 2017 07:37 GMT \nVulnerability existence verified and confirmed| 13 June, 2017 09:13 GMT \nGeneric security notifications sent to website owner| 13 June, 2017 09:13 GMT \nCustomized security notification sent to website owner| 13 June, 2017 09:13 GMT \nNotification sent to subscribers (without technical details)| 13 June, 2017 10:17 GMT \nVulnerability details disclosed by researcher| 5 September, 2017 09:55 GMT\n", "modified": "2017-09-05T09:55:00", "published": "2017-06-12T07:37:00", "href": "https://www.openbugbounty.org/reports/247267/", "id": "OBB:247267", "type": "openbugbounty", "title": "moviemeter.nl XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. 
SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. 
These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. 
ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari 
discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}